Personal Data Protection Policy
1. Introduction and scope
This Personal Data Protection Policy (the “Policy”) describes the privacy practices of Custom House regarding the Processing of Personal Data of the directors, officers, and employees of Custom House Clients and – to the extent applicable – the Clients’ investors and/or the relevant Client Affiliates, as part of the provision of Custom House’s Services.
This Personal Data can be stored on Custom House systems, or third-party systems to which Custom House is provided access for the provision of Services. Where Custom House provides Services to its Clients, Custom House will be acting as Processor and the Client will be acting as Controller. This Policy applies globally to any and all Services provided by Custom House to its Clients.
Custom House Processes Personal Data on behalf of the Client in accordance with Data Protection Laws. Insofar as is necessary, the Service Agreement will be supplemented with an addendum to set out any additional matters that are specific to the Client and cannot be regulated in this Policy.
This Policy is available upon request. Custom House reserves the right to update this Policy without consulting or pre-informing its Clients. To the extent that any change may materially affect the Client or its responsibilities under Data Protection Laws, Custom House shall use reasonable endeavours to notify the Client of such changes.
This Policy was last updated on: (May 23rd, 2018)
The capitalized terms listed below have the following meaning in this Policy:
Client: The counterparty to the Service Agreement with Custom House;
Client Affiliate: Means any legal entity affiliated to the Client;
Client Data Subjects: The former and current directors, officers and employees and investors of the Client and Client Affiliates;
Client Verification Requirements: The document which sets out which personal information is required to be provided by the Client Data Subjects in order for Custom House to provide the Services;
Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;
Custom House: Custom House Global Fund Services Limited and each Custom House Affiliate that is the contracting entity to the Service Agreement;
Custom House Affiliate: Means any entity directly or indirectly controlled by or under direct or indirect common control of Custom House Global Fund Services Limited. For the purpose of this definition, “control”, when used in respect to any entity means the power to direct or cause the direction of the management or policies of such entity, whether through ownership of voting securities or by contract or otherwise. The terms “controlling” and “control” have meaning correlative to the foregoing.
Data Protection Laws: In relation to any Personal Data which is Processed in the performance of the Service Agreement, the General Data Protection Regulation (EU) 2016/679 (“GDPR”) together with all implementing laws and any other applicable data protection, privacy laws or privacy regulations;
Personal Data: Any information through which a Client Data Subject can be identified directly or indirectly;
Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data;
Processing: Any operation or set of operations which is performed upon Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Processor: The party, which Processes Personal Data on behalf of the Controller;
Service Agreement: Any written contract, any written statement of work, or any other written binding agreement, including any annexes thereto, between Custom House and the Client;
Services: As provided by Custom House to the Client under the Service Agreement;
Sub processor: Any data processor appointed by Processor to process Personal Data on behalf of the Controller;
3. Personal data processed by Custom House
The details of the Personal Data that will be Processed by Custom House on behalf of the Client, including the duration, purpose and categories of Personal Data, will be set out in the Client Verification Requirements which will be accompanied by this Policy.
4. Use of Personal Data
Custom House shall not Process, transfer, modify, amend or alter the Personal Data or disclose or permit the disclosure of the Personal Data to any third party other than:
- as necessary to process Personal Data to provide the Services and/or otherwise in accordance with the documented instructions of Client mutually agreed upon by the Parties; or
- as required to comply with Data Protection Laws or other laws to which Custom House is subject, in which case Custom House shall (to the extent permitted by law) inform Client of that legal requirement before processing the Personal Data.
5. Sub processing
Custom House may be required to appoint certain third parties to provide part of the Services to the Client or assist with providing technical support, such as IT service providers or other suppliers. By signing the Service Agreement, the Client provides a general authorisation for Custom House to subcontract the Processing of Personal Data to Sub processors. Sub processors are in each case subject to data processing terms between Custom House and the Sub processor which are no less protective than those set out in this Policy and the Service Agreement.
Upon written request by the Client, Custom House will inform the Client of the details of such Sub processor(s).
Custom House will inform the Client in advance of any intended changes concerning the addition or replacement of Sub processors and thereby give the Client the opportunity to object to such changes. If the Client does not object in writing within five (5) days of receipt of the notice, the Client is deemed to have accepted the new Sub processor. If the Client does object in writing within five (5) days of receipt of the notice, Custom House and the Client will discuss possible resolutions.
6. Confidentiality and security
Custom House shall keep the Personal Data confidential and will instruct its staff and Sub processors to do the same. Custom House shall implement appropriate technical and organisational measures to ensure a level of security of the Personal Data appropriate to the risk required pursuant to applicable Data Protection Laws and, where the Processing concerns personal data of EU residents, shall take all measures required pursuant to article 32 GDPR.
In assessing the appropriate level of security, Custom House shall take into account in particular, the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
7. Co-operating with requests of the Client
Custom House shall, upon request and to the extent required under Data Protection Laws, co-operate with requests of the Client that relate to the Processing of Personal Data. In particular, Custom House shall co-operate with requests that relate to Client Data Subject rights, Data Protection Impact Assessments and audit rights as described below.
Client Data Subject rights: Custom House shall co-operate as requested by the Client to enable the Client to comply with any exercise of rights by a Client Data Subject in respect of Personal Data and comply with any assessment, enquiry, notice or investigation by the applicable data protection national supervisory authority under Data Protection Laws, provided in each case that the Client shall reimburse Custom House in full for all costs (including for internal resources and any third-party costs) reasonably incurred by Custom House in performing its obligation under this section.
Data Protection Impact Assessment: Custom House shall provide reasonable assistance to the Client with any data protection impact assessments which are required under Article 35 GDPR and with any prior consultations to any supervisory authority of the Client which are required under Article 36 GDPR, in each case in relation to Processing of Personal Data by Custom House on behalf of the Client and taking into account the nature of the processing and information available to Custom House.
Audit rights: On reasonable request and notice and at the Client’s expense, Custom House will co-operate in the conduct of any audit or inspection, reasonably necessary to demonstrate Custom House’s compliance with the obligations laid down in this Policy, provided always that this requirement will not oblige Custom House to provide or permit access to information concerning: (i) Supplier internal pricing information; (ii) information relating to Custom House’s other Clients; (iii) any of Custom House non-public external reports; (iv) Custom House confidential information, or (v) any internal reports prepared by Custom House internal audit function.
8. Deletion or return of Client Personal Data
Custom House will, at the choice of the Client, delete or return the Personal Data at the end of the provision of the Services relating to Processing, to the extent reasonably possible and unless (i) Data Protection Laws, (ii) any law, statute, order, regulation, rule, requirement, operational requirements and guidelines of any government, regulatory authority or self-regulating organization that applies to the Services in the country where those Services are being provided (“Applicable Law”), or (iii) competent court, supervisory or regulatory body, require the retention of such Personal Data by Custom House.
9. Incident management
Custom House shall notify the Client without undue delay after becoming aware of a personal data breach, providing the Client with sufficient information which allows the Client to meet any obligations to report a data breach under Data Protection Laws. Upon request by the Client and at the full expense of the Client for all costs incurred by Custom House (including for internal resources and any third party costs), Custom House shall fully co-operate with the Client and take such reasonable steps as are directed by the Client to assist in the investigation, mitigation and remedy of each data breach, in order to enable the Client to (i) perform a thorough investigation into the data breach, (ii) formulate a correct response and to take suitable further steps in respect of the data breach in order to meet any requirement under the Data Protection Laws.
The decision to inform Client Data Subjects about a data breach shall be the sole responsibility of the Client and Custom House shall take no responsibility for any assessment or decision relating to notification of data breaches to Client Data Subjects. Any such notification shall be carried out at the Client’s sole expense.
10. International transfers of client personal data
In the event of international transfers of Personal Data between Custom House and any Sub processor, the following shall apply (insofar as relevant):
- The Personal Data may, at the discretion of Custom House, be transferred to (i) one or more of Custom House Affiliates in either one or more Member States of the European Economic Area (“EEA”) on the basis of Data Protection Laws, or to (ii) one or more of the Custom House Affiliates in one or more third countries, and each Custom House Affiliate in a third country will be signing a Data Processing Agreement with Custom House, including appropriate safeguards for third-country transfers under Data Protection Laws as necessary. The Client or the relevant Custom House Subsidiary shall upon request of the Client Data Subject, provide the Client Data Subject with a copy of such Data Processing Agreement and this Policy (without any business sensitive or confidential information).
- The Personal Data may be transferred (i) to one or more Sub processors (other than Custom House Affiliates) in one or more Member States of the EEA or Switzerland on the basis of Data Protection Laws pursuant to the Clients’ general authorisation for the appointment of such sub processors pursuant to section 5 of this Policy, or (ii) to one or more such Sub processors in one or more third countries on the basis of any of the derogations listed in Article 49 of the GDPR, including without limitation, that such transfer is necessary for the performance of a contract with the data subject or with third parties or for the exercise and defence of legal claims, or (iii) on the basis of adequate safeguards added either, insofar as allowed under Data Protection Laws, by Custom House to ensure the protection of the Personal Data, or by the Client, in which case Custom House shall cooperate with the Client to seek an adequate basis for the cross-border transfer of Personal Data to such Sub processor. At the Client’s request, Custom House shall inform the Client of the applicable basis for the cross-transfer of the Personal Data.
- Where the data protection or privacy law of any country outside the EEA or Switzerland applies to the Personal Data, the Client warrants that any cross-border transfer of Personal Data from Custom House to a Sub processor shall be allowed, by implementing additional safeguards pursuant to Data Protection Laws or as otherwise permitted by Data Protection Laws.
The Client warrants that all Personal Data processed by Custom House on behalf of the Client has been and shall be Processed by the Client in accordance with Data Protection Laws including without limitation: (a) ensuring that all notifications to and approvals from regulators which are required by Data Protection Laws are made and maintained by the Client; and (b) ensuring that all Personal Data is Processed fairly and lawfully, is accurate and up to date and that a fair notice is provided to Client Data Subjects which describes the processing to be undertaken by Custom House pursuant to the Services agreed upon in the Service Agreement.
By signing the Service Agreement, the Client shall indemnify and hold Custom House harmless against all claims, actions, third party or relevant local supervisory authority claims, losses, damages, administrative fines, penalties and expenses arising from any breach by the Client of this Policy or any of its obligations as a Controller under Data Protection Laws.
The exclusions and limitations of the liability of Custom House set out in the Service Agreement shall also apply to this Policy.
Date adopted: May 23rd, 2018
Editor: Dermot Mockler, Edwin van den Berg
Description: Initial adoption